Is there anything infecting my computer?


11 replies to this topic

#1 Groffeaston


Posted 25 April 2016 - 05:25 PM

Hello everyone.

 

I opened my Firefox browser earlier today and then got a popup screen saying that my Adobe Flash needed to be updated. I clicked to update, but then when I tried to open the downloaded file I received a warning message stating that that specific file is not downloaded very often and may be a "P.U.P.", do you want to continue? I clicked "yes". I did not take notice of what the exact file name was at that time. It did not load up as it normally does. I assumed it failed to load, which had happened before. So I clicked to download again, got the same warning message, and then noticed that the file name was a little odd after I clicked to open the download. What do I mean by "odd"? Well, it was NOT from Adobe like it normally would be! So I tried to cancel or stop the download, but was unable to. That is when my problems began! After the "program" loaded up, the program "Windows Shell" crashed and was forced to close. Then my Firefox web browser went crazy!! It started to load up multiple times when I went to close it!!! So I was forced to restart my computer.

What have I done since then? I closed my web browser but it said my web browser was open, so I clicked to close it again from the pop-up box. Then I tried to run Microsoft Security Essentials and it froze up after running to a certain point. So I restarted my computer and then updated and ran SUPERAntiSpyware Free after a new version was updated. I closed my web browser, but it said my web browser was open. So I clicked to close it again from the little pop-up box. Then I ran SUPERAntiSpyware Free. The only things that showed up were cookies.

I have not run any other scans as of yet.

Please NOTE: I am going in the hospital tomorrow morning April 26, 2016 for back surgery and will be in for at least 3 to 5 days and probably will not be able to be on my computer for at least a week or 2 after that, depending on how I am feeling.

So why then ask for help now? Because it just happened and I want to try and find out if I have anything bad on my computer!





#2 Groffeaston


Posted 25 April 2016 - 08:40 PM

I checked the Problem Reports and there are several new reports for: Product: Antimalware Service Executable  Problem: Mp Telemetry.  That showed up 5 times and Product: Microsoft Windows Search Filter Host   Problem: Stopped working. That showed up 2 times.  

When I clicked "View details" here is what it said on all of them: "Windows can't display the problem details because the report has been deleted or changed."   That NEVER EVER Happened before!!!! 

Can someone help me try and start to figure some of this out before I go into the hospital tomorrow morning, or should I wait until I come home, get healed up and am able to work on my computer?

I wanted to get a "jump on it" because it is fresh on my mind, but unfortunately it happened today, the day before I go in for surgery. That is why I do not want to wait and let it sit and infect my computer any more. But the one scan did not find anything except cookies. But I had something like this before: I ran several scans and nothing showed up, but then later my computer really started acting up and then it showed up, but by that time I had to re-install my OS and reset my computer to factory condition. I am worried that, with me not being able to scan my computer for at least a week or 2, maybe longer, whatever caused this "issue" may grow or cause more damage before I can detect it.
 



#3 Groffeaston


Posted 25 April 2016 - 10:39 PM

Hello everyone,

It turns out my computer is infected BIG TIME!!!!!!! 3 Really NASTY Mother F**KERs!!! I initially ran SUPERAntiSpyware Free and that did not pick them up!! Then I ran Rkill; it did not pick them up! Then Microsoft Security Essentials ran and that picked them up!!! I did what the recommended process was. But they keep coming back!!!!

The 3 Infections are:

Trojan: Win32/Kovter.gen!a
Trojan: Win32/Kovter.I
Rogue: JS/FakeCall.D

All 3 show alert levels of: SEVERE!!! I keep trying to get rid of them but they keep coming back!!! I am in desperate need of HELP!!!!



#4 Slurppa


Posted 26 April 2016 - 04:13 AM

Hello Groffeaston

Sorry to hear about your problems.

When Adobe requested the update, did it show a screen like this?
[image: bogus-flash-update-malware-1.png]

Download MalwareBytes Anti-Malware to your desktop.
  • Double-click mbam-setup-2.0.exe to start the installation of Malwarebytes Anti-Malware.
  • Follow the instructions on your screen to complete the installation. You can find the complete installation procedure here.
  • Click the Scan Now button, a threat scan will start automatically.
  • MalwareBytes Anti-Malware will now check for the latest updates. Click Update Now if new updates are available.
  • Your computer is now being scanned, please do not use your computer during the scan.
  • If no threats were found, click View detailed log.
    • Click Export and save the log as a .txt file on your Desktop or another location.
  • If the scan detected any threats, click Apply Actions.
    • To complete any actions taken you will be prompted to restart your computer...click on Yes.
    • After reboot, start Malwarebytes Anti-Malware again and click the History Tab at the top and select Application Logs.
    • Check the box next to Scan Log. Choose the most current scan and click View.
    • Click Export and save the log as a .txt file on your Desktop or another location.
Providing the MalwareBytes' Anti-Malware log file
  • Attach the log file you just saved to your next reply for further review.
 
If you are still having problems after surgery feel free to post to this thread or PM me.

I hope your surgery goes well :)

Member of the Bleeping Computer A.I.I. early response team!


#5 Groffeaston


Posted 29 April 2016 - 05:01 PM

Hello I will do 2 posts. I will update my health and answer your question about the adobe update.

I got home from the hospital last evening, Thursday April 28, 2016, at about 8:00pm. My surgery went well; the doc said the nerves were rubbed pretty raw by both the bulging disc and the slippage of the spine, so it was pretty good that I had the surgery when I did! That would explain most of the "problems" I have been experiencing. I arrived at the hospital at 10:30am and was supposed to have my surgery at 12:30pm, but the other surgeries before me went longer than expected, and there was also an emergency surgery thrown in there, and I did not have my surgery until 7:30pm!! lol

I have only experienced one problem since my surgery, but it is mostly related to my back problems. The problem is I am retaining too much urine in my bladder. In other words I am not emptying enough when I go pee. So I came home with a little friend, a Foley catheter. lmao I just have to empty it every few hours.  I had this experience before when I had my weight loss surgery in 2013.

Now to answer your question about how the screen looked when Adobe asked to update: Yes, it looked exactly like you showed in the above post, and since then I have been having problems! Microsoft Security Essentials keeps picking up the one "program" and then "quarantining" it, and then I delete it from the list. But then after I either reset my computer, or turn it off and later turn it back on, it pops back up!! I will download and run MBAM and post the log next time I am on my computer.
 



#6 Groffeaston


Posted 29 April 2016 - 06:14 PM

Hello,
 
When I restarted my computer, Microsoft Security Essentials Alerted that it picked up on the items again!

Here are the results from the MBAM scan:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/29/2016
Scan Time: 6:08:06 PM
Logfile: MBAM Scan.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.04.29.07
Rootkit Database: v2016.04.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Matthew

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 357496
Time Elapsed: 30 min, 3 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 5
PUP.Optional.CrossRider, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{58674913-6CC4-4013-A85A-23936A49D200}, Quarantined, [a5f6d9db6138b3838d8fbf6f798b14ec],
PUP.Optional.CrossRider, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{7D488B34-6F42-44D7-9DAC-7CEF6A799DB5}, Quarantined, [4e4d4e667029d4629c82c8660400659b],
PUP.Optional.CrossRider, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{D9DB7391-61ED-426E-9CB2-E8E352981587}, Quarantined, [0b90eaca3a5f45f16fae79b5d23207f9],
PUP.Optional.Bandoo.AppFlsh, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{FF4B1849-C555-48F2-A40E-CB3A156B4252}, Quarantined, [0695a90b95044fe79443faa0a2626f91],
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\SLIMWARE UTILITIES INC\DriverUpdate, Quarantined, [d3c8862e43567db936d6ea47c04430d0],

Registry Values: 5
PUP.Optional.CrossRider, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{58674913-6cc4-4013-a85a-23936a49d200}|AppName, VisualBee-bg.exe, Quarantined, [a5f6d9db6138b3838d8fbf6f798b14ec]
PUP.Optional.CrossRider, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{7d488b34-6f42-44d7-9dac-7cef6a799db5}|AppName, VisualBee-codedownloader.exe, Quarantined, [4e4d4e667029d4629c82c8660400659b]
PUP.Optional.CrossRider, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{d9db7391-61ed-426e-9cb2-e8e352981587}|AppName, VisualBee-buttonutil.exe, Quarantined, [0b90eaca3a5f45f16fae79b5d23207f9]
PUP.Optional.Bandoo.AppFlsh, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{FF4B1849-C555-48F2-A40E-CB3A156B4252}|AppPath, C:\PROGRA~1\WI83E4~1\Datamngr\ToolBar, Quarantined, [0695a90b95044fe79443faa0a2626f91]
PUP.Optional.CrossRider.Generic, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|VisualBee-bg.exe, 8000, Quarantined, [4f4c05af75244bebb1fe5d5792728d73]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 3
PUP.Optional.DriverUpdate, C:\Users\Matthew\Downloads\DriverUpdate-setup.exe, Quarantined, [9b006153c1d833032676a4accd34c739],
Trojan.Kovter, C:\Users\Matthew\Downloads\FlashPlayer (1).exe, Quarantined, [1c7f14a05940979f85c0161ed72b0cf4],
PUP.Optional.APNToolBar, C:\Users\Matthew\AppData\Local\Downloaded Installations\{3A689B30-F482-4D55-9B4D-E5638B4F55E1}\The Weather Channel App.msi, Quarantined, [5744942031682b0b6e94d7787988bc44],

Physical Sectors: 0
(No malicious items detected)


(end)

 

From what I have previously read elsewhere about the 3 items I mentioned in a previous post above, they tend to be very very difficult to remove.  I sometimes tend to be very very stubborn myself! LOL 
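The MBAM log above is the kind of output a helper ends up triaging by hand. As an added example that is not part of this thread and not Malwarebytes' own tooling, the Python below parses the 2.x log format quoted above into structured records, checks that the per-section counts the scanner declares ("Files: 3") match the lines actually listed, and separates PUP/PUM hits (adware, bundled toolbars) from the one malware family in the log, so that the item that matters (the fake Flash installer in Downloads) is not lost among the toolbar leftovers. The embedded sample is a constructed subset of the log posted above; the section names come from that log, and the line layout (name, target, action, bracketed 32-hex record id) is an assumption taken from it.

```python
"""Parse and triage a Malwarebytes Anti-Malware 2.x scan log (added example, not Malwarebytes code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Section headers that precede detection lines (names taken from the log format above).
SECTIONS = {"Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors"}
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+): (?P<count>\d+)$")
RECORD_ID_RE = re.compile(r"^\[[0-9a-f]{32}\]$")   # assumed: trailing bracketed id is 32 hex digits

# Constructed sample: a subset of the log posted above, same line layout.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/29/2016
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 357496
Time Elapsed: 30 min, 3 sec

Processes: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.CrossRider, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{58674913-6CC4-4013-A85A-23936A49D200}, Quarantined, [a5f6d9db6138b3838d8fbf6f798b14ec],
PUP.Optional.DriverUpdate, HKLM\SOFTWARE\SLIMWARE UTILITIES INC\DriverUpdate, Quarantined, [d3c8862e43567db936d6ea47c04430d0],

Registry Values: 1
PUP.Optional.CrossRider, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{58674913-6cc4-4013-a85a-23936a49d200}|AppName, VisualBee-bg.exe, Quarantined, [a5f6d9db6138b3838d8fbf6f798b14ec]

Files: 2
PUP.Optional.DriverUpdate, C:\Users\Matthew\Downloads\DriverUpdate-setup.exe, Quarantined, [9b006153c1d833032676a4accd34c739],
Trojan.Kovter, C:\Users\Matthew\Downloads\FlashPlayer (1).exe, Quarantined, [1c7f14a05940979f85c0161ed72b0cf4],

Physical Sectors: 0
(No malicious items detected)

(end)
"""


@dataclass
class Detection:
    section: str     # part of the log it came from ("Files", "Registry Keys", ...)
    name: str        # detection name, e.g. "Trojan.Kovter" or "PUP.Optional.CrossRider"
    target: str      # registry key/value or file path that was acted on
    action: str      # e.g. "Quarantined"
    record_id: str   # the bracketed id at the end of the line, without brackets


def parse_mbam_log(text):
    """Return (detections, declared_counts) for an MBAM 2.x threat-scan log."""
    detections, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):        # blank, "(No malicious items detected)", "(end)"
            continue
        m = SECTION_RE.match(line)
        if m and m.group("name") in SECTIONS:
            section = m.group("name")
            declared[section] = int(m.group("count"))
            continue
        if section is None:                          # still in the scan-settings header
            continue
        # Detection lines are "name, target, action, [id]" and may end with a stray comma;
        # the target itself can contain ", " (registry value lines), so split from the right.
        parts = line.rstrip(",").rsplit(", ", 2)
        if len(parts) != 3 or not RECORD_ID_RE.match(parts[2]):
            continue
        head = parts[0].split(", ", 1)
        if len(head) != 2:
            continue
        detections.append(Detection(section, head[0], head[1], parts[1], parts[2].strip("[]")))
    return detections, declared


def count_mismatches(detections, declared):
    """Sections whose declared count differs from the lines parsed (a truncated or edited log)."""
    parsed = Counter(d.section for d in detections)
    return {s: (n, parsed.get(s, 0)) for s, n in declared.items() if parsed.get(s, 0) != n}


def triage(detections):
    """Separate malware from PUP/PUM so the former gets attention first."""
    malware = [d for d in detections if not d.name.startswith(("PUP.", "PUM."))]
    return {
        "families": dict(Counter(d.name for d in detections)),
        "malware": malware,
        "pup": len(detections) - len(malware),
    }


if __name__ == "__main__":
    dets, declared = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(dets)} detections; count mismatches: {count_mismatches(dets, declared)}")
    for d in triage(dets)["malware"]:
        print(f"MALWARE  {d.name}: {d.target} ({d.action})")
```

Run against the full log in the post, the same split gives one malware record (the Kovter-flagged `FlashPlayer (1).exe` dropper) and seven PUP records; a quarantined dropper in Downloads does not by itself account for the re-detections after every reboot that the thread describes, which is why the helper moves on to Kovter-specific tools in the next post.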

 



#7 Slurppa


Posted 30 April 2016 - 04:38 AM

Greetings Groffeaston!
 
Glad to hear your surgery went well :)
 

Yes it looked exactly like you showed in the above post and since then I have been having problems!

 
Those are fake alerts that lure you into installing malware or other products. A good rule of thumb is to only update software from its official page or through its designated updater on your computer. Are you still getting that screen when you open your browser, or was it on some particular website?
 
Let's check if that Kovter is still present.

Step 1: Download the following files to your desktop. Don't run them yet!
Step 2: Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista/Windows7, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.
Step 3:
  • Now go to your desktop and run the program FixTool32.exe you downloaded.
  • Click on Start to start the removal process.
  • After scan is complete it will show logfile. Save it somewhere you can find it.
Step 4: ESET Online Scanner
  • Right click on esetsmartinstaller_enu.exe in your desktop and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Include following logs in your next post:
ESET Scanner log
RKill log
Symantec Kovter Log

You can now reboot your computer.

Member of the Bleeping Computer A.I.I. early response team!


#8 Groffeaston


Posted 02 May 2016 - 10:52 PM

Microsoft Security Essentials keeps picking up: Trojan:Win32/Kovter.C and Trojan:Win32/Kovter.gen!A

I ran into a little problem while trying to download and install the programs you wanted me to install and run. The problems: when I went to download them they initially failed to download properly or download totally. I had to try it several times before they downloaded properly. Then when I started to download those programs and then do the scans, Microsoft Security Essentials started a scan and that ended up fouling everything up!! It shut down/froze Firefox and would not allow me to close/shut down Microsoft Security Essentials!! It lasted for close to 45 minutes to 1 hour; when Microsoft Security Essentials unfroze I had to restart my computer, and then Microsoft Security Essentials did an update and then picked up the 2 above trojans. I took a screenshot of the quarantine log on Microsoft Security Essentials and will include that below so that you can see the date and time when it detected the items.

That is when I downloaded and ran the programs as directed. I will post what I have so far and when the ESET scan is done I will post that. Why? Due to the pain in my back from back surgery. lol The last scan ESET did on my computer took over 7 hours and it is now just under 2 hours!


Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/02/2016 09:08:29 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * DFSR [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  127.0.0.1    www.007guard.com
  127.0.0.1    007guard.com
  127.0.0.1    008i.com
  127.0.0.1    www.008k.com
  127.0.0.1    008k.com
  127.0.0.1    www.00hq.com
  127.0.0.1    00hq.com
  127.0.0.1    010402.com
  127.0.0.1    www.032439.com
  127.0.0.1    032439.com
  127.0.0.1    www.0scan.com
  127.0.0.1    0scan.com
  127.0.0.1    www.1000gratisproben.com
  127.0.0.1    1000gratisproben.com
  127.0.0.1    1001namen.com
  127.0.0.1    www.1001namen.com
  127.0.0.1    100888290cs.com
  127.0.0.1    www.100888290cs.com
  127.0.0.1    www.100sexlinks.com

  20 out of 15472 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 05/02/2016 09:17:14 PM
Execution time: 0 hours(s), 8 minute(s), and 44 seconds(s)
 

 

The FixTool32 did not detect anything and therefore did not create a log.

I am just waiting for the ESET scan to end, but as of right now it detected 9 items mostly "google toolbar" and 1 other Trojan that did not get detected before. As soon as it gets done I will post those results! ESET scan is now at 2 hours 10 minutes!

Time to go relax in my dad's lift chair to ease the pain in my back! lol

 

 

I tried to include the screenshot of Microsoft Security Essentials But it would not let me add it, and I do not know how to add it any other way!
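Rkill printed only 20 of the 15472 HOSTS entries and asked for the rest to be reviewed. Entries that point hostnames at 127.0.0.1 or 0.0.0.0, like the ones shown, are the pattern of a blocklist (the ad- and scam-domain lists some anti-spyware tools install) and are normally harmless; the entries worth a second look are those that point a hostname at some other address (traffic redirection) and loopback entries for update or security-vendor domains (which silently stop those tools from updating). The Python below is an added example, not part of the thread and not Rkill's code, that performs that review over a constructed HOSTS sample; the vendor watchlist and the last two sample lines are assumptions made for the example.

```python
"""Review a Windows HOSTS file for suspicious entries (added example, not Rkill's code)."""
import ipaddress

# Assumption of this example: domains whose sinkholing would hurt the machine's own defences.
SECURITY_DOMAINS = ("windowsupdate.com", "microsoft.com", "malwarebytes.org", "bleepingcomputer.com")

# Constructed sample modelled on the Rkill excerpt above; the last two lines are made up
# to show what the review flags.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1       localhost
::1             localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    0scan.com
0.0.0.0      www.1000gratisproben.com
127.0.0.1    www.malwarebytes.org   # constructed: a security vendor pointed at loopback
198.51.100.7 www.example.com        # constructed: a hostname pointed at a real address
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # first field is not an address
        for host in fields[1:]:                    # one address may carry several names
            entries.append((str(addr), host.lower()))
    return entries


def is_security_domain(host):
    """True if host is one of the watchlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def review_hosts(text):
    """Classify every mapping as stock localhost, loopback block, or redirect."""
    report = {"total": 0, "loopback_blocks": 0, "redirects": [], "security_blocked": []}
    for ip, host in parse_hosts(text):
        report["total"] += 1
        if host == "localhost":
            continue                                # the stock entries
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified: # 127.x, ::1, 0.0.0.0: blocklist style
            report["loopback_blocks"] += 1
            if is_security_domain(host):
                report["security_blocked"].append(host)
        else:
            report["redirects"].append((host, ip))  # name resolves somewhere else entirely
    return report


if __name__ == "__main__":
    r = review_hosts(SAMPLE_HOSTS)
    print(f"{r['total']} entries, {r['loopback_blocks']} loopback blocks")
    for host, ip in r["redirects"]:
        print(f"REDIRECT  {host} -> {ip}")
    for host in r["security_blocked"]:
        print(f"BLOCKED   {host} (security/update domain pointed at loopback)")
```

On a real machine the text would be read from `C:\Windows\System32\drivers\etc\hosts`; on Vista that file is only writable as an administrator, so a hosts file that has changed without the user installing a blocklist tool is itself a sign that something ran with elevated rights.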



#9 Groffeaston


Posted 03 May 2016 - 04:24 AM

Hello again, here are the results of the ESET scan:

C:\Users\Matthew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZFIOQQRN\3483[1].htm    JS/Exploit.Agent.NLQ trojan    cleaned by deleting
C:\Users\Matthew\Downloads\ccsetup506.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted
C:\Users\Matthew\Downloads\ccsetup507.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted
C:\Users\Matthew\Downloads\ccsetup508.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted
C:\Users\Matthew\Downloads\ccsetup509.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted
C:\Users\Matthew\Downloads\ccsetup510.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted
C:\Users\Matthew\Downloads\dfsetup219.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted
C:\Users\Matthew\Downloads\dfsetup220.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted
C:\Users\Matthew\Downloads\dfsetup221.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted
C:\Users\Matthew\Downloads\Windows Live Photo Gallery Setup.exe    a variant of Win32/DownloadAssistant.A potentially unwanted application    cleaned by deleting
 



#10 Groffeaston


Posted 03 May 2016 - 04:48 AM

I restarted/rebooted my computer and I can tell "it" is still there! How? Well, when Windows starts up, 2 little boxes that look like window/page/program indicators open up on the bottom "Task-bar". They are as follows:
1) f2215 
2) e4187

I hope this helps.



#11 Slurppa


Posted 03 May 2016 - 08:15 AM

Hello Groffeaston

I think it's time to move to using more sophisticated tools.


Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Member of the Bleeping Computer A.I.I. early response team!


#12 Groffeaston


Posted 03 May 2016 - 07:58 PM

I made a new topic like you requested:

 

http://www.bleepingcomputer.com/forums/t/612948/need-help-getting-rid-of-kovter/
 

Thanks for the help!





